Cisco Nexus 9000 Series Configuration Manual page 205

Configuring 802.1X
Authentication Initiation and Message Exchange
supplicant to request its identity (typically, the authenticator sends an initial identity/request frame followed
by one or more requests for authentication information). When the supplicant receives the frame, it responds
with an EAP-response/identity frame.
If the supplicant does not receive an EAP-request/identity frame from the authenticator during bootup, the
supplicant can initiate authentication by sending an EAPOL-start frame, which prompts the authenticator to
request the supplicant's identity.
Note If 802.1X is not enabled or supported on the network access device, the Cisco NX-OS device drops any
EAPOL frames from the supplicant. If the supplicant does not receive an EAP-request/identity frame after
three attempts to start authentication, the supplicant transmits data as if the port is in the authorized state. A
port in the authorized state means that the supplicant has been successfully authenticated.
When the supplicant supplies its identity, the authenticator begins its role as the intermediary, passing EAP
frames between the supplicant and the authentication server until authentication succeeds or fails. If the
authentication succeeds, the authenticator port becomes authorized.
The specific exchange of EAP frames depends on the authentication method being used.
Figure 6: Message Exchange
This figure shows a message exchange initiated by the supplicant using the One-Time-Password (OTP)
authentication method with a RADIUS server. The OTP authentication device uses a secret pass-phrase to
generate a sequence of one-time (single use)
passwords.
The user's secret pass-phrase never crosses the network at any time such as during authentication or during
pass-phrase changes.
Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x
179